A newly discovered first-stage implant targeting Korean-speaking victims borrows code from another reconnaissance tool linked to Comment Crew, a Chinese nation-state threat actor that was exposed in 2013 following cyber espionage campaigns against the United States.

Dubbed Oceansalt, the threat has been spotted on machines in South Korea, the United States, and Canada.

The adversary used spear phishing to lure victims into opening Microsoft Excel and Word documents with content in Korean, specially crafted to download the malware.

Oceansalt makes victims outside South Korea

"Our research suggests the targets were those who would read documents related to South Korea’s public construction expenses, Inter-Korean Cooperation fund, or other global financial data," researchers at McAfee write in a report shared with BleepingComputer.

They suspect financial theft as a possible motivation for the attack, and that it was intended as a precursor to a huge compromise because Oceansalt would give its operator full control of the infected systems and the networks they connected to.

According to telemetry data from McAfee, as of August 14, Oceansalt was present on the infrastructure of companies in the United States and Canada.

Oceansalt victims outside South Korea

The researchers could not find the malicious documents for spear phishing organizations in these countries, suggesting the possibility that the implant came via a different attack, separate from the one targeting Korean speakers.

The Excel and Word documents that retrieved the malware included a macro script with instructions to download Oceansalt upon launching the document.

Link to Comment Crew's eight-year old-implant

Researchers at McAfee found that Oceansalt had similar code with Seasalt, an implant with a compiled in 2010 the implant used by Comment Crew for its operations.

The overall similarity is 21% and refers only to unique snippets. Apart from this, they also share similarities as far as functions are concerned and have identical command capabilities.

Seasalt strings in Oceansalt

Furthermore, the codes for commands and requests exchanged with the command and control (C2) server are the same in both cases.

"Both implants execute their capabilities in the same way, which indicates they were both developed from the same code base," notes the report.

Oceansalt and Seasalt commands

Comment Crew unlikely to return, but its work persists

Comment Crew, also known as APT1, was exposed in 2013 in a report from Mandiant that offered details about operations, capabilities, malware arsenal, techniques, and identities of individuals in the group.

The report came after the collective targeted at least 30 US defense contractors in cyber attacks, and it was so damaging that the collective ceased its activity and was never heard of since.

McAfee researchers do not believe that the group resurrected this year after all this time but come with some theories that explain the code reuse in new tools without leaking the source code.

The first theory is that Oceansalt is the result of a code-sharing agreement between two threat actors.

Another one is that the code was stolen from the original group or leaked by a former Comment Crew member.

All this could also be a false flag planted to throw researchers off track and decrease chances of clear attribution, "to make it appear that China and North Korea have collaborated on this cyberattack."

Ionut Ilascu is freelancing as a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia.